[15903] in cryptography@c2.net mail archive

Any TLS server key compromises?

daemon@ATHENA.MIT.EDU (Marc Branchaud)
Fri Aug 13 18:16:03 2004

X-Original-To: cryptography@metzdowd.com
Date: Thu, 12 Aug 2004 13:34:09 -0700
From: Marc Branchaud <marcnarc@rsasecurity.com>
To: cryptography@metzdowd.com

This is a cryptographically signed message in MIME format.

I've been wondering, has a TLS server (or client, for that matter) key 
ever actually been compromised?  I don't think I've ever heard of one.

I'm thinking of two possible avenues for compromise, and ignoring 
insider attacks.  One is through defects in the protocol itself or its 
implementation.  The other would be through a compromise of the server 
host (e.g. a buffer overflow in Apache) that allows the attacker to copy 
the TLS server's private key from the file system.

It seems to me that in-the-wild attacks on the protocol or its 
implementation are unheard of.

OTOH, we hear about server break-ins all the time.  However, one never 
hears about these break-ins leading to a compromise of the server's key.

Perhaps the server's private key isn't a really useful target?  Although 
possession of the key makes it easy to spoof a secure server, actually 
doing that spoofing requires a secondary attack, like phishing or an 
active attack on the Internet, to redirect a user to the false server.

So have there ever been any actual TLS private key compromises (through 
any non-insider attack)?

If TLS private keys aren't attractive enough a target for them to be 
compromised even when the opportunity presents itself (as I'm assuming 
it has), then to what extent do these keys really need to be protected?

		M.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
